Bug 2342463 (CVE-2024-45339)

Summary: CVE-2024-45339 github.com/golang/glog: Vulnerability when creating log files in github.com/golang/glog
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glog, a logging library. This vulnerability allows an unprivileged attacker to overwrite sensitive files via a symbolic link planted in a widely writable directory, exploiting the predictability of the log file path.
Bug Depends On: 2342517, 2342518, 2342528, 2342529, 2342530, 2342531, 2342532, 2342533, 2342534, 2342535, 2342536, 2342519, 2342520, 2342521, 2342522, 2342523, 2342524, 2342525, 2342526, 2342527, 2361093

Description OSIDB Bzimport 2025-01-28 02:01:13 UTC
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.
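The safe creation pattern behind this fix, as an added example that is not glog's own code: opening the log path with O_CREATE|O_EXCL makes the kernel refuse any pre-existing path, including a planted symlink, instead of following it. The helper names, the temporary directory layout and the "sensitive" file content are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// createLogFile opens a brand-new log file. With O_CREATE|O_EXCL the kernel
// refuses if anything already exists at path, and for a symlink it refuses
// regardless of the target, so a planted link is never followed or truncated.
func createLogFile(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// demoPlantedLink stages the scenario in dir with constructed data (a "sensitive"
// file plus a symlink at the guessable log path) and reports the outcome.
func demoPlantedLink(dir string) (refused, targetIntact bool, err error) {
	target := filepath.Join(dir, "sensitive.txt")
	logPath := filepath.Join(dir, "app.INFO.log") // predictable log name
	if err = os.WriteFile(target, []byte("keep me\n"), 0o600); err != nil {
		return
	}
	if err = os.Symlink(target, logPath); err != nil {
		return
	}
	f, openErr := createLogFile(logPath)
	if openErr == nil {
		f.Close() // would mean the link was followed: the vulnerable behaviour
	}
	refused = errors.Is(openErr, fs.ErrExist) // glog exits with status 2 here
	data, err := os.ReadFile(target)
	if err != nil {
		return
	}
	targetIntact = string(data) == "keep me\n"
	return
}

func main() {
	dir, err := os.MkdirTemp("", "glogdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	refused, intact, err := demoPlantedLink(dir)
	fmt.Printf("refused=%v targetIntact=%v err=%v\n", refused, intact, err)
}
```

A process that gets ErrExist from createLogFile should stop rather than fall back to O_TRUNC, which is the behaviour the fixed glog adopts.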

Comment 4 errata-xmlrpc 2025-07-29 01:19:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2025:11675 https://access.redhat.com/errata/RHSA-2025:11675

Comment 5 errata-xmlrpc 2025-07-29 07:05:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2025:11673 https://access.redhat.com/errata/RHSA-2025:11673

Comment 6 errata-xmlrpc 2025-07-30 13:13:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:11681 https://access.redhat.com/errata/RHSA-2025:11681

Comment 7 errata-xmlrpc 2025-07-30 19:44:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:11679 https://access.redhat.com/errata/RHSA-2025:11679

Comment 8 errata-xmlrpc 2025-07-30 22:11:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:11677 https://access.redhat.com/errata/RHSA-2025:11677

Comment 10 errata-xmlrpc 2025-08-05 05:44:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2025:12341 https://access.redhat.com/errata/RHSA-2025:12341

Comment 11 errata-xmlrpc 2025-08-06 22:53:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:12439 https://access.redhat.com/errata/RHSA-2025:12439

Comment 12 errata-xmlrpc 2025-08-06 22:56:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:12372 https://access.redhat.com/errata/RHSA-2025:12372

Comment 13 errata-xmlrpc 2025-08-07 00:32:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:12325 https://access.redhat.com/errata/RHSA-2025:12325

Comment 14 errata-xmlrpc 2025-08-07 00:33:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:12370 https://access.redhat.com/errata/RHSA-2025:12370

Comment 15 errata-xmlrpc 2025-08-07 01:16:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:12437 https://access.redhat.com/errata/RHSA-2025:12437

Comment 16 errata-xmlrpc 2025-08-13 01:15:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:13327 https://access.redhat.com/errata/RHSA-2025:13327

Comment 17 errata-xmlrpc 2025-08-13 01:45:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:13338 https://access.redhat.com/errata/RHSA-2025:13338

Comment 18 errata-xmlrpc 2025-08-13 05:40:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:13336 https://access.redhat.com/errata/RHSA-2025:13336

Comment 19 errata-xmlrpc 2025-08-13 05:49:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:13325 https://access.redhat.com/errata/RHSA-2025:13325

Comment 20 errata-xmlrpc 2025-08-14 01:27:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:13291 https://access.redhat.com/errata/RHSA-2025:13291

Comment 21 errata-xmlrpc 2025-08-14 04:08:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:13289 https://access.redhat.com/errata/RHSA-2025:13289